CVE-2025-30386 Overview
CVE-2025-30386 is a use-after-free vulnerability [CWE-416] in Microsoft Office that enables local code execution. An unauthorized attacker can execute arbitrary code in the context of the current user after the victim opens a crafted Office document. Microsoft published the advisory on May 13, 2025, covering Microsoft 365 Apps, Microsoft 365 Copilot, Microsoft Office 2016 and 2019, and the Office Long Term Servicing Channel 2021 and 2024 on both Windows and macOS. Successful exploitation results in high impact to confidentiality, integrity, and availability, and exploitation requires user interaction such as opening a malicious file.
Critical Impact
Successful exploitation grants arbitrary code execution as the current user across supported Microsoft Office and 365 Apps builds, enabling malware installation and data theft.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft 365 Copilot (Android) and Microsoft Office 2016 / 2019 (x64 and x86)
- Microsoft Office Long Term Servicing Channel 2021 and 2024 (Windows x64/x86 and macOS)
Discovery Timeline
- 2025-05-13 - CVE-2025-30386 published to NVD and addressed in Microsoft's May 2025 security update
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2025-30386
Vulnerability Analysis
The issue is a use-after-free condition in Microsoft Office document parsing logic. The application references a heap object after the allocator has freed it, allowing an attacker to reclaim the memory with attacker-controlled data. When Office subsequently dereferences the dangling pointer, the controlled data is interpreted as a valid object, including function pointers and virtual table entries.
The attack is local and requires user interaction. A victim must open a crafted Office document delivered through email, a shared drive, or a download. The Preview Pane is also a viable trigger surface for Office use-after-free flaws, which reduces the interaction burden on the victim.
Exploitation yields code execution at the privilege level of the user running Office. Attackers commonly chain such flaws with a local privilege escalation to obtain SYSTEM-level access or use the foothold to stage ransomware, credential theft, and lateral movement.
Root Cause
The defect maps to CWE-416: Use After Free. Office releases an internal object during document processing but retains a reference that is later dereferenced. The lifetime mismanagement between object owners and consumers creates the dangling pointer that an attacker manipulates through specially crafted document structures.
Attack Vector
The attack vector is local with low complexity and no required privileges, but user interaction is mandatory. The attacker delivers a weaponized Office document, and the target opens it in a vulnerable build of Office, 365 Apps, or 365 Copilot. Specific exploitation code has not been published, and Microsoft has not reported in-the-wild exploitation.
For exploitation details, see the Microsoft Vulnerability Advisory CVE-2025-30386.
Detection Methods for CVE-2025-30386
Indicators of Compromise
- Office processes such as WINWORD.EXE, EXCEL.EXE, or POWERPNT.EXE spawning command interpreters like cmd.exe, powershell.exe, or wscript.exe.
- Unexpected child processes of Office writing executables, scripts, or DLLs into %TEMP%, %APPDATA%, or %LOCALAPPDATA%.
- Outbound network connections initiated by Office processes shortly after a document is opened.
- Crash or Watson telemetry showing access violations in Office binaries while parsing untrusted documents.
Detection Strategies
- Hunt for Office applications loading unsigned or unusual DLLs from user-writable paths.
- Alert on parent-child process anomalies where Office spawns LOLBins such as mshta.exe, regsvr32.exe, or rundll32.exe.
- Inspect inbound email attachments and SharePoint uploads for Office documents containing embedded objects or obfuscated payloads.
Monitoring Recommendations
- Enable and forward Microsoft Defender, Sysmon, and Office telemetry to a central data lake for behavioral analysis.
- Track build numbers of Microsoft 365 Apps and Office across the fleet to confirm patch deployment status.
- Correlate document open events with subsequent process, file, and network activity to identify post-exploitation behavior.
How to Mitigate CVE-2025-30386
Immediate Actions Required
- Apply the May 2025 Microsoft security updates to all Office, Microsoft 365 Apps, and Office LTSC installations on Windows and macOS.
- Update Microsoft 365 Copilot for Android through the Google Play Store to the patched release.
- Restrict opening of Office documents from untrusted sources and enforce Protected View and Mark-of-the-Web on downloaded files.
Patch Information
Microsoft addressed CVE-2025-30386 in its May 13, 2025 security release. Patched builds are available through Click-to-Run updates for Microsoft 365 Apps, the Microsoft Update channel for Office 2016/2019 and Office LTSC 2021/2024, and the Mac AutoUpdate channel for macOS builds. Refer to the Microsoft Vulnerability Advisory CVE-2025-30386 for the exact build numbers per channel.
Workarounds
- Enforce Office Attack Surface Reduction rules that block child process creation and Win32 API calls from Office macros.
- Disable legacy Office file formats or require them to open in Protected View when patching is delayed.
- Use email gateway and content disarm and reconstruction (CDR) controls to strip active content from inbound Office attachments.
# Example: enable Microsoft Defender ASR rule blocking Office child processes
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
-AttackSurfaceReductionRules_Actions Enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
